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What actually happens during a ransomware attack? We follow a real case involving
the REvil ransomware - from initial infection and negotiation, through to the
cryptocurrency payment and laundering of the funds.
The scale and severity of ransomware attacks continue to grow. Cybercriminal groups such
as DarkSide have received hundreds of millions of dollars in cryptocurrency ransom
payments, having crippled critical infrastructure providers such as Colonial Pipeline. In early
July, hundreds of businesses were infected with REvil ransomware (also known as
Sodinokibi), through an attack on Kaseya - a provider of IT management software to those
victims.
At Elliptic, we monitor and investigate ransomware groups in order to collect information on
the cryptocurrency wallets they use to receive ransoms. These insights are then made
available in our software, enabling law enforcement to follow the money and potentially
freeze the funds or identify the individuals behind the attacks. Cryptocurrency exchanges
and financial institutions use our software to screen customer deposits for links to these
wallets, and ensure that the ransomware groups cannot cash-out their proceeds.
This research gives us unique insights into the entire lifecycle of a ransomware attack - from
the initial malware infection and ransom demand, through the negotiation and payment
process, and finally the laundering of the funds. In this article we follow one specific attack by
the Russia-linked REvil ransomware group, which took place within the past few weeks.
Some images have been edited to protect the identity of the victim.
1. The victim is infected with the REvil malware
Once the REvil malware has made its way onto the computer system, it encrypts the victim’s
files - leaving behind a text file containing the ransom note, shown below:
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The note directs the victim to a website (the “victim portal”) on Tor (an anonymous version of
the internet often used to host darknet markets), to access further instructions.
2. Accessing the victim portal
The victim portal displays the ransom demand - $50,000 in Monero, a privacy-focused
cryptocurrency that is very difficult to trace. If the ransom is not paid within a certain
timeframe, the ransom will be doubled to $100,000.
The portal provides instructions on where the Monero can be purchased, and where exactly
it should be sent:
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3. Chat support
Similar to an e-commerce site, the portal allows the victim to speak directly to REvil, through
the “Chat Support” tab. Here we see the victim (blue) initiate a conversation with REvil
(green) and begin to negotiate the ransom down:
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4. Verifying that paying a ransom will lead to decryption
The victim then asks for proof that paying the ransom will work - i.e. that their files will be
decrypted. They upload two of their encrypted files, and REvil responds with the proof - the
decrypted files:

5. Requesting payment in Bitcoin instead of Monero
Many ransomware victims find it difficult to obtain the Monero required to pay a ransom (not
many exchanges list it, especially in the US), or do not want to pay in Monero due to
concerns about violating sanctions. Most of the ransomware response companies that
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negotiate and pay on behalf of victims simply refuse to pay Monero ransoms.
In this case the victim has requested to pay in Bitcoin instead and REvil has allowed it, albeit
with a 10% surcharge. This higher amount reflects the increased risk faced by REvil when
accepting Bitcoin payments, due to its traceability. The portal updates to show a Bitcoin
payment address:

6. Negotiating the ransom amount
Having already negotiated a 20% discount on the original $50,000 ransom demand, the
victim goes further - offering just $10,000. They claim that this is all they can pay at such
short notice, but the offer is rejected by REvil. The victim then says that they may be able to
borrow some extra money, and they eventually agree on a ransom payment of $25,000.
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7. Sending the Bitcoin ransom payment
The address that the bitcoin ransom should be sent to is displayed at the top of the portal,
but the victim asks REvil to confirm that it is correct. Cryptocurrency payments are
irreversible, so it is important to verify the destination address before making a transaction.
The victim sends the $25,000 in Bitcoin, and REvil confirms that they have received it:
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8. The decryption tool is provided
Once the ransom is paid, the victim portal updates to provide access to the decryptor. (Of
course in general there is no guarantee that such a tool will be provided.)
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For the victim, the process is now complete. They can use the decryptor tool to regain
access to their files and resume operations.
9. The Bitcoin is laundered
For REvil the next step is to launder and cash-out the Bitcoin ransom payment. The image
below is from our cryptocurrency investigations software, Elliptic Forensics, showing the
destination of the Bitcoin ransom paid by this specific victim. Most exchanges that allow
Bitcoin to be converted into traditional currency make use of Elliptic’s tools in order to trace
customer deposits and ensure that they are not connected to illicit activity such as this.
REvil must therefore attempt to launder the funds and break the transaction trail. They
attempt this by “layering” the funds - splitting them and passing them through many different
wallets, and by mixing them with bitcoins from other sources. This laundering process in this
case is still ongoing, but nevertheless we can already trace some of the funds to exchanges.
Those exchanges will have information on the identities of people whose accounts received
the funds - providing strong leads for law enforcement.
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The victim in this case appears to have been a small business rather than a large
corporation - reflected in the relatively small ransom demanded. Small businesses make up
50-75% of all ransomware victims, and the impact on these attacks can be catastrophic.
At Elliptic we believe that ransomware can be combated by limiting the degree to which the
criminals responsible can profit from their crimes. By mapping and understanding the
cryptocurrency flows from ransomware wallets, we can aid law enforcement and financial
institutions to identify the perpetrators and freeze their funds.
Join our upcoming webinar, on July 29: Tracking Ransomware with Blockchain
Analytics, as we discuss how and why ransomware makes use of cryptocurrency, and
showcase how it can be countered using blockchain analytics - including ‘following the
money’ from cybercriminal wallets.

Disclaimer
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